I'm working on the exam, but will be back to add outline items. In the meantime, feel free to add your own outline.
Organizational Governance: The process by which organizations select objectives, establish processes to achieve those objectives, and monitor performance.
According to a Position Paper of the Institute of Internal Auditors dated 7/12/06 (citing the Organization for Economic Co-operation and Development) - "Organizational Governance - Guidance for Internal Auditors" - organizational governance is defined as a "set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined."
Enterprise Risk Management: "A process, effected by an entity's BOD, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Enterprise Risk Management Framework
Components of ERM:
1) Internal Environment - Tone at the top. How risk is viewed and addressed by the entity's people. General attitude towards internal control.
2) Objective Setting - An entity needs objectives before it can identify the events that may affect it. Objectives should align with the entity's mission. Objective setting includes defining the mission, vision, purpose, and strategies to establish relationships.
3) Event Identification - Internal and external events affecting achievement of the objectives.
4) Risk Assessment - Likelihood and impact of each risk, and how the risks should be managed.
5) Risk Response - Possible courses of action: avoid, reduce, share, accept.
6) Control Activities - Processes to ensure that the planned risk response is followed.
7) Information and Communication - Identify, capture and communicate information across the entity, both vertically and horizontally.
8) Monitoring - Evaluation of processes to determine their effectiveness. Advocate changes if necessary.
Risk Assessment Framework
Internal Control: "A process - effected by an entity's board of directors, management, and other personnel - designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations."
Components of Internal Control: Control environment, risk assessment, control activities, information & communication, monitoring.
Hierarchy of internal controls:
Control Environment - overall policies and procedures that demonstrate an entity's commitment to the importance of controls (sets the tone of an organization)
Pervasive Controls - address multiple goals and apply to many processes
Business Process Controls - relate to specific AIS processes; described more fully below
Business Process Control Goals
1. Operations Process Control Goals
Effectiveness - e.g. cash receipts are deposited to the bank daily
Efficiency - e.g. the cost of the computers and the people depositing the cash
Safeguarding of assets - e.g. for a bank, cash is transported via armored cars
2. Information Process Controls Goals
These are subdivided between business event inputs and master data.
Business Event Inputs
Validity - Input information is valid
Accuracy - The information is input into the system accurately
Completeness - All of the information is input into the system; there are no omissions
Master Data
Master files are updated accurately
Master files are updated completely
Types of Internal Controls
Preventive - controls that stop the issue from occurring, e.g. banks use armored cars to transport cash to prevent theft
Detective - controls that discover issues after they occur, e.g. bank reconciliations may reveal unauthorized cash disbursements
Corrective - controls that provide the information needed to fix an issue, e.g. an exception transaction journal produces a list of rejected transactions, and a clerk corrects the errors and re-enters the transactions